Hackers penetrated the internal defenses of a firm that works with energy gear.

A provider of software that helps large swaths of the energy industry remotely monitor and control sensitive equipment is investigating a sophisticated hacker attack that managed to penetrate its internal defenses, according to a published report.

Signatures of the malware installed on systems operated by Telvent Canada Ltd. strongly suggest the attack involved a Chinese hacker group known as the "Comment Group," KrebsOnSecurity reporter Brian Krebs wrote in an article published on Wednesday. Over the past few years, the group has targeted a variety of Fortune 500 companies, presumably to obtain blueprints, software source code, and other intellectual property that would allow Chinese industries to catch up to their Western counterparts.

In a series of letters sent to customers over the past week, Telvent Canada officials warned that the company's internal firewall and security systems were breached and malware was installed. Files related to one of its core offerings—a product known as OASyS SCADA, which helps energy firms "mesh older IT assets with more advanced 'smart grid' technologies"—were also taken during the intrusion, according to Krebs.

"In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent networks and that all virus or malware files have been eliminated," a September 10 letter obtained by Krebs said. "Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent."

The intrusion underscores the vulnerability of industrial control systems, which use networked computers to flip switches, open valves, and manipulate other types of physical equipment located in dams, gasoline refineries, and other critical infrastructure. Many security experts have long exhorted companies to keep SCADA (supervisory control and data acquisition) and other such systems separate from the Internet and other public networks. The savings from remotely controlling equipment that is often far away and hard to reach physically are usually seen as a benefit that outweighs the risk.

Ooh, scary. According to this article, and contrary to the headline, this was an attack on an ISV, not an "energy giant." It also has absolutely nothing to do with air gapping control systems. This wouldn't even pass muster at El Reg. It's long past time that Ars got someone who did more than parrot quotes, spread FUD, and dumb things down below the average Wired reader level and actually knew anything about security, journalism, and research. The story here is allegedly Chinese hackers, their methods, their "malware," and the ISV's weaknesses, not imminent power grid meltdown.

It also has absolutely nothing to do with air gapping control systems.

I think this has to do with air gapping because they have remote access to their customers' systems - since their internal remote tools or processes could have been compromised, had the hardware itself been air gapped this would not be as severe an issue, however now the hardware is possibly compromised.


Remote access how? Internet? Dial-up? Radio?

You can go far beyond this story and say it could have something to do with air gapping, but that is a different story. There is no evidence at all here that an actual power company was penetrated, that the information that was exfiltrated makes that any more likely to happen, or that a control system was even involved. It's barking up the wrong tree and sensationalism.

Mind if I ask what values you used? Seems like a step worthy of emulation

You can collect these yourself for free based on publications from each of the RIRs, or you can get them from places like ipdeny.com, countryipblocks.net, maxmind, http://www.bgpmon.net/IPtoCountry.txt, countries.nerd.dk, etc.

That seems kind of silly and naive to me. Most major businesses are going to have some dealings with Chinese customers or suppliers and so will want to have communications with them and not restrict the Internet this way. As far as security goes there are many more threats from IP space assigned by ARIN, especially in the USA, both because there is more of it and because the US is the only government that has been developing and using a military cyber-warfare capability. Aside from the US government, most other attacks on the Internet are criminal and commercial, fraud and industrial espionage, and are generally organized crime and not state-sponsored. Industrial espionage, which is sometimes state-sponsored, is a parasitic activity but not a damaging one.


Mind if I ask what values you used? Seems like a step worthy of emulation

You can collect these yourself for free based on publications from each of the RIRs, or you can get them from places like ipdeny.com, countryipblocks.net, maxmind, http://www.bgpmon.net/IPtoCountry.txt, countries.nerd.dk, etc.

Yep, I just made one myself a ways back but there are massive numbers of sources around since it's all public, obvious information. A maintained list can be a time saver and include other known heavy spam/hack blocks, as well as help avoid accidentally cutting off non-targeted blocks. Okean.com is another source, that's what OpenBSD used to mirror. Whenever you use blanket kills though you need to be sure of your own use case and that you aren't throwing out the baby with the bathwater so to speak (sensitivity to that is in turn why OpenBSD stopped mirroring that in spamd by default).

raven667 wrote:

That seems kind of silly and naive to me. Most major business

Stop right there. My home server (or for that matter any of my personal servers on the net) is not a "major business", nor, I suspect, is cdcIndc's. Even in a business setting, most are small businesses that are often entirely local in nature. There is simply no reason for anything from that area to need to access anything of mine, I have no plans to travel there, and if I ever needed a special exception then, duh, that's easily handled by whitelisting. That's what whitelists are for.

Quote:

Chinese suppliers and so will want to have communications with them and not restrict the Internet this way.

Which is fine. As I said, it's situational. But for a lot of us that's pointless and/or is dealt with via whitelists, port knocking, or other means. Even in the case of suppliers, if it's not a rapid and unpredictable change whitelists may still be a good choice. If you're running a universal public service that's naturally a very different story. The big guys though have plenty of tools and knowledge to take care of all of this.

Quote:

As far as security goes there are many more threats from IP space assigned by ARIN, especially in the USA, both because there is more of it and because the US is the only government that has been developing and using a military cyber-warfare capability.

I could not roll my eyes any harder at this entire sentence. I'm not speaking in terms of your cute FIGHT DA MAN(1) shtick here, I'm speaking in terms of my own, personal server logs. Thank you very much but I know exactly where I'm getting spammed from and it was irritating (which was in fact the primary motivation). Blanket denies of all the Chinese and Russian stuff massively cut down my log spam, which in turn makes it easier to notice when something real might have happened.

1. I mean honestly, "US is the only government that has been developing and using a military cyber-warfare capability"? Seriously? Haha, oh wow. Even if it was true it would be irrelevant but no. Just no.
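The country block lists discussed above (built from the RIR delegation files, with a whitelist carve-out so a known-good host inside the blocked space still gets through) can be assembled in a few dozen lines. The following is an added example for this thread, not code from any poster. It assumes the public RIR "delegated" file layout (registry|cc|type|start|value|date|status) and uses a constructed handful of rows instead of a real download; the allow-listed host 1.0.1.77 is hypothetical.

```python
"""Turn RIR delegation data into a country block list with allow-list carve-outs."""
import ipaddress

# Constructed sample in the RIR delegated format (a few rows, not real data).
SAMPLE_DELEGATED = """\
2|apnic|20120919|1|19830101|20120918|+1000
apnic|*|ipv4|*|6|summary
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.1.2.0|768|20110412|allocated
apnic|CN|ipv6|2001:250::|32|20000811|allocated
"""


def parse_delegated(text, countries, families=("ipv4", "ipv6")):
    """Yield ip_network objects for every row assigned to one of `countries`."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7:          # summary rows have fewer fields
            continue
        _registry, cc, family, start, value, _date, status = fields[:7]
        if cc not in countries or family not in families:
            continue
        if status not in ("allocated", "assigned"):
            continue                 # also skips the version row ("+1000")
        if family == "ipv4":
            # For IPv4 the value is an address count, not always a power of
            # two, so one row may need several CIDR blocks.
            first = ipaddress.IPv4Address(start)
            yield from ipaddress.summarize_address_range(first, first + int(value) - 1)
        else:
            yield ipaddress.IPv6Network(f"{start}/{value}")  # IPv6 value is a prefix length


def exclude_allowlisted(net, allow):
    """Return the parts of `net` left after carving out allow-listed prefixes."""
    pieces = [net]
    for a in allow:
        if a.version != net.version:
            continue
        remaining = []
        for p in pieces:
            if p.subnet_of(a):
                continue                                # whole piece is allowed
            if a.subnet_of(p):
                remaining.extend(p.address_exclude(a))  # punch a hole in it
            else:
                remaining.append(p)
        pieces = remaining
    return pieces


def build_blocklist(text, countries, allowlist=()):
    """Blocked prefixes for `countries`, minus `allowlist`, collapsed per family."""
    allow = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    v4, v6 = [], []
    for net in parse_delegated(text, countries):
        for piece in exclude_allowlisted(net, allow):
            (v4 if piece.version == 4 else v6).append(piece)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(ip, blocklist):
    """True if `ip` falls inside any prefix of the finished block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def pf_rules(table, blocklist):
    """Render the list as a pf table plus a block rule (OpenBSD pf.conf syntax)."""
    entries = ", ".join(str(n) for n in blocklist)
    return f"table <{table}> const {{ {entries} }}\nblock in quick from <{table}> to any"


if __name__ == "__main__":
    # Hypothetical allow-listed host sitting inside the blocked space.
    blocked = build_blocklist(SAMPLE_DELEGATED, {"CN"}, allowlist=["1.0.1.77/32"])
    print(pf_rules("cn_blocks", blocked))
    print(is_blocked("1.0.1.77", blocked), is_blocked("1.0.9.1", blocked))
```

The whitelist wins over the country list by construction: the /24 containing the allowed host is split into the eight smaller prefixes around it rather than being dropped or kept whole, which is the "whitelist exception" xoa describes. Swap the `pf_rules` renderer for `iptables -A INPUT -s <prefix> -j DROP` lines or an ipset if you are on Linux.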

I wonder what the scale of hacking operations is like in China. In looking over my home server's access logs I'm seeing Chinese IP's being blocked almost daily due to unauthorized access attempts.

That's been happening to me as well, seems like you paint a huge target on yourself especially if you torrent. A network just called "Chengdu Province" has been attempting to ping me for the past two weeks, also get hits in Taiwan lately too. My IP address changes every two weeks from my VPN so even if it got past my filter, it should sandbox my activity fairly well still.

Why is the infrastructure accessible and controllable from the Internet - what stupid moron idiot came up with that idea because he was too lazy to get off his fat ass sitting on his couch at home to go into the facility to deal with a problem??

This is another case of "just because the capability is there and available does not mean it's a good idea".

The Pentagon is accessible from the Internet - Nuclear Silos are accessible from the Internet - Pacemakers are accessible from the Internet - Military Drones are accessible from the Internet...and on and on...

I'm sorry but some things should really have limitations and be off-grid. I'm going to be really pissed if I get a call about how some hacker managed to play the drum solo to "Wipeout" on my grandma's pacemaker.

It's amazing and sad at the same time that someone with a little skill - an IP address and login credentials can take control of almost anything around the planet these days.

Ooh, scary. According to this article, and contrary to the headline, this was an attack on an ISV, not an "energy giant." It also has absolutely nothing to do with air gapping control systems. This wouldn't even pass muster at El Reg. It's long past time that Ars got someone who did more than parrot quotes, spread FUD, and dumb things down below the average Wired reader level and actually knew anything about security, journalism, and research. The story here is allegedly Chinese hackers, their methods, their "malware," and the ISV's weaknesses, not imminent power grid meltdown.

I don't think ad-hominem attacks and insults are very constructive. Ars readers are reminded that posts that appear in the middle section of the front page are briefs, not in-depth reports. The point is to give a quick digest of things happening elsewhere online.

If you think there are inaccuracies in the article, please quote each specific passage and provide a one- or two-sentence explanation, with sources if possible, supporting how it's factually incorrect.

Thanks.

Methinks some research on the definition of an ad hominem attack is in order. Also, where's the insult? I pointed out your inaccuracies and you have a history of being inaccurate or just plain wrong, FUDdy, quoting people and using their authority or popularity as evidence of correctness (argumentum ad verecundiam, if you want to be fancy), being very light on details, and non sequiturs, as in this article. Ars is/was better than this. I was not debating with you and arguing against the few facts in this story, or using your character at all. The poor quality speaks for itself.

If you want me to quote passages and do your research for you, I expect a chunk of your salary in return, in advance. I would be busy for days. I'll help you out for free, in this case, as a token of my generosity. Just drop the entire last paragraph and change the headline, maybe to something like "Hackers penetrate developer of energy company management software."

That seems kind of silly and naive to me. Most major businesses are going to have some dealings with Chinese customers or suppliers and so will want to have communications with them and not restrict the Internet this way.

What about businesses that do not have dealings with Chinese customers? Before I changed my email filtering method many years ago, one of the methods I used involved blocking all two-letter TLDs except for ones I had a need to communicate with, about 3. It worked quite well. It's certainly not foolproof, and Chinese people could bounce around to avoid a block, but it takes out a significant amount of unnecessary traffic.

I didn't realize Schneider owned Telvent as well. They also purchased Control Microsystems too, another SCADA software vendor.

Telvent was always the 300 lb gorilla in the SCADA world. They supposedly did everything the "right" way and were the most secure. While no actual energy company was hacked, if the hackers got away with good info on OASYS DNA then that gives them information on how to start. I bet the companies that stuck with the Telvent VMS systems are glad they did so.

Anyone remember when we actually had rolling blackouts in California and elsewhere? That wasn't hackers attacking critical infrastructure, it was Enron. You can read all about it in books like "The Smartest Guys in the Room", or in various court transcripts. Enron deliberately damaged the critical infrastructure of the US. Most of the people involved faced no penalties and no restrictions on their activity - a good number went on to be involved in other financial shenanigans in later years.

That seems kind of silly and naive to me. Most major businesses are going to have some dealings with Chinese customers or suppliers and so will want to have communications with them and not restrict the Internet this way.

I'm just curious what business dealings with China you think we'd be doing with our home servers. May I have a hint? (We are nerdy, so maybe you think we go through a lot of Asian brides, perhaps?)

I'm going to look into blocking some of these, too. My BSD box has had its logs grow up to 2.5MB per day due to unauthorised access attempts.

I agree with xoa, getting rid of the clutter makes it easy to identify real issues.
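The point made by xoa and repeated here, that dropping the known-noise sources makes the remaining events visible, is easy to turn into a triage pass over the auth log. The following is an added example for this thread, not code from any poster. It assumes OpenSSH-style sshd log lines (constructed below, with RFC 5737 documentation addresses for the non-blocked hosts) and a block list given as CIDR strings; the failure threshold of 3 is an arbitrary choice.

```python
"""Triage sshd failures: separate block-listed noise from events worth a look."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of sshd lines in syslog format (not a real log).
SAMPLE_AUTH_LOG = """\
Sep 12 03:14:07 host sshd[2113]: Failed password for root from 1.0.9.14 port 51522 ssh2
Sep 12 03:14:09 host sshd[2113]: Failed password for root from 1.0.9.14 port 51522 ssh2
Sep 12 03:15:30 host sshd[2120]: Invalid user admin from 1.1.3.200
Sep 12 04:02:11 host sshd[2201]: Failed password for invalid user oracle from 203.0.113.9 port 40012 ssh2
Sep 12 04:02:15 host sshd[2201]: Failed password for invalid user oracle from 203.0.113.9 port 40012 ssh2
Sep 12 04:02:19 host sshd[2201]: Failed password for invalid user oracle from 203.0.113.9 port 40012 ssh2
Sep 12 05:10:01 host sshd[2250]: Failed password for backup from 198.51.100.7 port 43210 ssh2
Sep 12 05:10:05 host sshd[2250]: Accepted password for backup from 198.51.100.7 port 43210 ssh2
Sep 12 06:30:00 host sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2
"""

# Constructed block list; in practice this is the country/abuse list you maintain.
SAMPLE_BLOCKLIST = ["1.0.1.0/24", "1.0.8.0/21", "1.1.2.0/23", "1.1.4.0/24"]

# "Invalid user X from IP" and "Failed password for [invalid user] X from IP".
# Real logs often carry both lines for one attempt; dedupe on (pid, ip) if needed.
FAIL_RE = re.compile(r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\S+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")


def in_blocklist(ip, blocklist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def triage(log_text, blocklist_cidrs, threshold=3):
    """Bucket source IPs into noise, review candidates, and successes after failures."""
    blocklist = [ipaddress.ip_network(c, strict=False) for c in blocklist_cidrs]
    failures = Counter()
    accepted = defaultdict(list)   # ip -> [(auth method, user), ...]
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            accepted[m.group(3)].append((m.group(1), m.group(2)))

    report = {"dropped": {}, "review": {}, "success_after_failure": {}}
    for ip, n in failures.items():
        if in_blocklist(ip, blocklist):
            report["dropped"][ip] = n          # the firewall would have eaten these
        elif n >= threshold:
            report["review"][ip] = n           # persistent and not on the list
    for ip, logins in accepted.items():
        # A success from a source that was also failing is the case that matters
        # most: a guessed password, not a typo, regardless of how many failures.
        if failures[ip] > 0:
            report["success_after_failure"][ip] = logins
    return report


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_AUTH_LOG, SAMPLE_BLOCKLIST).items():
        print(bucket, entries)
```

Run against a real `/var/log/auth.log` the "dropped" bucket is the log spam the block list would have removed, "review" is what is left once it is gone, and the last bucket is the one that should page someone: here the password login for `backup` from 198.51.100.7 right after a failure from the same address.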

I mean honestly, "US is the only government that has been developing and using a military cyber-warfare capability"? Seriously? Haha, oh wow. Even if it was true it would be irrelevant but no. Just no.

Yeah, when I got to that bit I was thinking "This guy's either a troll mastermind or borderline retarded".

Methinks some research on the definition of an ad hominem attack is in order. Also, where's the insult? I pointed out your inaccuracies and you have a history of being inaccurate or just plain wrong, FUDdy, quoting people and using their authority or popularity as evidence of correctness (argumentum ad verecundiam, if you want to be fancy), being very light on details, and non sequiturs, as in this article. Ars is/was better than this. I was not debating with you and arguing against the few facts in this story, or using your character at all. The poor quality speaks for itself.

If you want me to quote passages and do your research for you, I expect a chunk of your salary in return, in advance. I would be busy for days. I'll help you out for free, in this case, as a token of my generosity. Just drop the entire last paragraph and change the headline, maybe to something like "Hackers penetrate developer of energy company management software."

Anyone can write things like: "It's long past time that Ars got someone who did more than parrot quotes, spread FUD, and dumb things down below the average Wired reader level and actually knew anything about security, journalism, and research."

But so far you haven't quoted a single inaccuracy in the article and provided support for why you think it's inaccurate. If my coverage is as horrible as you say it is, why are you refusing to quote specific passages and offer a rebuttal of those passages that's supported by documented facts?

It's long past due that companies take their critical systems off the freaking Internet. The company I work at probably has more than 10-20 critical pieces of hardware accessible either from the Intranet and are unsecured (or loose with default accounts) or are directly accessible from the Internet. There is a fine balance between what the users of the systems want (easy access from OMG everywherez) and security. Time and time again, these systems are shown to need to be off-web and secured.

But then again I tend to fall onto the side of secure it first then worry about accessing it later...

I'm by no means an expert on either internet security or running remotely-administered critical infrastructure facilities, but it seems to me that if you ARE going to hook up your critical infrastructure to the intertubes - for gods' sakes DON'T accept incoming connections from all over the webs!

While security through obscurity may not really be security, a (secret) whitelist of allowed IPs would greatly GREATLY cut down the risk of ever getting hacked in the first place. Ideally, you'd only have a small handful of allowed IPs.

See... now this is the problem with clicking on the eyeball. Here is cgs claiming the article is sensationalist (which it is to a degree) but he wraps it in questions on facts and .... wait for it... sensationalistic verbal abuse (not really ad hominem) It's entertaining... maybe ... until it's aimed at me.

What a great learning lesson cgs brings about for us... no matter how right you are, or think you are... you can undermine your argument with the very words you use.

Hopefully you (cgs) will put your intelligence to better use in other articles or I will have to get all slashy eyeball on you. I did appreciate the CIDR blocks though. World... so... black... and... white... grrr.


Attabay, thanks for laying out your perspective in such a constructive way. These forums are a great place to collectively analyze subject matter, bring additional context to events, and even critique the merits of the article. Unfortunately, we humans (myself included) have an inborn tendency to get triggered when we encounter points of view that challenge our own deep-seated beliefs. I think the quality of comments really benefit when we resist the urge to strike back at people and instead objectively explore our differences.

Attabay, I hear you think the piece is to a degree sensationalist. Can you quote specific passages that you think support that view point?

Can you quote specific passages that you think support that view point?

"Hack Attack on Energy Giant..." Telvent is an IT company used by energy companies but they are more rounded than that, for instance they "service governments to eliminate paper based processes". The sub title clears it up a bit, but by then I'm hooked?

More specifically in the title, draw out the key words "hack-energy giant-threat-critical". Not to say that hackers in infrastructure subsystems is very concerning. I am interested in an article that points out that Telvent was hacked in a notable manner and that this is a pointer towards weaknesses in critical infrastructure and their ability for remote connect...

I am not expecting every ars article to research in depth so I can learn more about how and why command/control systems are connected to the internet (though that would be nice). It's articles like this that are a quick read and keep me a bit closer to the pulse of events without having a bazillion RSS feeds and getting A LOT of information that I have no time to digest despite having the desire.

I wouldn't even be nit picky to mention all this other than wanting to say "slashy eyeball" which is really wrong anyway - having read through other posts cgs put out there, I would miss a lot. Everyone tripped on themselves a bit on this one.

Yep, I just made one myself a ways back but there are massive numbers of sources around since it's all public, obvious information. A maintained list can be a time saver and include other known heavy spam/hack blocks, as well as help avoid accidentally cutting off non-targeted blocks. Okean.com is another source, that's what OpenBSD used to mirror. Whenever you use blanket kills though you need to be sure of your own use case and that you aren't throwing out the baby with the bathwater so to speak (sensitivity to that is in turn why OpenBSD stopped mirroring that in spamd by default).

That's a reasonable stance. Blacklists just aren't as good as whitelists because you can never enumerate everything "bad" ahead of time. In the worst case blacklists can provide a feel-good band-aid that doesn't fundamentally solve a security problem, leaving the target less vigilant and more vulnerable and likely to take unnecessary risks.

xoa wrote:

raven667 wrote:

That seems kind of silly and naive to me. Most major business

Stop right there. My home server ...

I was trying to make a more general point about blacklisting not being a panacea, all "bad" things do not come from over "there".

xoa wrote:

raven667 wrote:

Chinese suppliers and so will want to have communications with them and not restrict the Internet this way.

Which is fine. As I said, it's situational. But for a lot of us that's pointless and/or is dealt with via whitelists ...

Whitelists are definitely a good thing if you are in a position to maintain them.

xoa wrote:

raven667 wrote:

As far as security goes there are many more threats from IP space assigned by ARIN, especially in the USA, both because there is more of it and because the US is the only government that has been developing and using a military cyber-warfare capability.

I could not roll my eyes any harder at this entire sentence. I'm not speaking in terms of your cute FIGHT DA MAN(1) shtick here, I'm speaking in terms of my own, personal server logs. Thank you very much but I know exactly where I'm getting spammed from and it was irritating (which was in fact the primary motivation). Blanket denies of all the Chinese and Russian stuff massively cut down my log spam, which in turn makes it easier to notice when something real might have happened.

1. I mean honestly, "US is the only government that has been developing and using a military cyber-warfare capability"? Seriously? Haha, oh wow. Even if it was true it would be irrelevant but no. Just no.

I'm glad I could be entertaining 8-). As far as cyberweapons go, I think it is an uncontroversial fact that the only real cyberweapons that have been recovered from the wild have been part of Olympic Games. There are plenty of spear-phishing attacks against industry such as the RSA and other defense contractor breaches but those have generally been data-gathering and espionage focused and not weaponized. I hope you aren't listening to Richard Clarke of "digital pearl harbor" fame as he has demonstrated that he is a know-nothing and listening to him and people like him will make one less informed rather than more.